How to make a secure Facebook Flash game
Posted May 21, 2010 by Nick Vogt in Programming
One of the advantages to making web games for Facebook is that you can utilize the Facebook user_id to uniquely identify users of your game without them having to log in. This makes it easy for them to access your game and continue where they left off. For PHP/JavaScript browser games, this is secure and works well as is; however, for Flash games it presents a problem.
The problem stems from having to pass the user_id into the embedded Flash game via the query string or through the flashvars, in order for the Flash game to know whose account to access in the database. Since this information is readily available in the page's source code, it can allow someone to easily access someone else's game account if they have obtained their Facebook user_id. There are several solutions to this problem, and I will outline them from OK to Best below:
OK Solution: The first time users access your Facebook game, have them create a user name and password using a normal HTML form while on the PHP page. Store their user name and password, along with the Facebook user_id and other pertinent information in your database, and do not pass any user-related variables into the Flash game. Then utilize a log in interface inside your Flash game to authenticate the user.
This method is secure, but is not very user friendly as it requires quite a bit of additional user input before they can play the game.
Good Solution: When users navigate to your game for the first time, authenticate them like normal on the PHP page and then create a random, unique id for them. Let's call it gamer_id. Store this gamer_id in the database along with the Facebook user_id, and only pass the gamer_id into the Flash game via query string or flashvars.
This method is fairly secure because, unlike the Facebook user_id, nobody else will know another user's randomly generated gamer_id, unless they have physical access to their computer. This method is very user friendly because the authentication and gamer_id generation can be done automatically in PHP, so the user can access the Flash game with no delay or input required.
Better Solution: This solution is similar to the above solution. Instead of only creating the random gamer_id for a user once, have the PHP script create a new gamer_id every time a user navigates to the game, and store the new gamer_id in the database (overwriting the old gamer_id). This is more secure because if someone manages to obtain someone else's gamer_id, it will be unusable the next time that user logs into the game.
Best Solution: The above solution still has a loop hole. Users can log into someone else's game as long as they have their gamer_id and the legitimate user has not logged back into their game since. We need to make it so that the gamer_id can only be used once to open the game, and then it will be invalid after that. To do this, simply create a gamer_id_old column in your database. When the Flash game opens up, have it use the gamer_id to pull up the user's database entry and then check the gamer_id against the gamer_id_old. If they are different, load the current gamer_id into the gamer_id_old and continue loading the game. If the gamer_id matches the gamer_id_old, then send an error message to the user and do not access the database.
This solution is fully secure and user friendly, though it requires a bit more coding. An added bonus to this solution is that you can easily make it so that there can never be two instances of the game running with the same user information at the same time. It will also require that the user access your game only from your Facebook PHP page, and they will not be able to access the game remotely or offline.
Example:
User navigates to the main PHP page, usually from a Facebook bookmark. The PHP page runs the Facebook authentication to validate the user. Once the user is validated, create a random gamer_id using uniqid() or a combination of functions. Check the database to make sure that the gamer_id isn't already being used. If it isn't, load the gamer_id into the database for that user, overwriting their current gamer_id. Pass only the gamer_id into the embedded Flash game. Once the Flash game starts, have it check the database for the gamer_id and compare it to the gamer_id_old for that user. If they do not match then set gamer_id_old to gamer_id and start the game. If they do match, then the user has already attempted to open the game using that gamer_id. Send them back to your PHP page or give them an error message.
The problem stems from having to pass the user_id into the embedded Flash game via the query string or through the flashvars, in order for the Flash game to know whose account to access in the database. Since this information is readily available in the page's source code, it can allow someone to easily access someone else's game account if they have obtained their Facebook user_id. There are several solutions to this problem, and I will outline them from OK to Best below:
OK Solution: The first time users access your Facebook game, have them create a user name and password using a normal HTML form while on the PHP page. Store their user name and password, along with the Facebook user_id and other pertinent information in your database, and do not pass any user-related variables into the Flash game. Then utilize a log in interface inside your Flash game to authenticate the user.
This method is secure, but is not very user friendly as it requires quite a bit of additional user input before they can play the game.
Good Solution: When users navigate to your game for the first time, authenticate them like normal on the PHP page and then create a random, unique id for them. Let's call it gamer_id. Store this gamer_id in the database along with the Facebook user_id, and only pass the gamer_id into the Flash game via query string or flashvars.
This method is fairly secure because, unlike the Facebook user_id, nobody else will know another user's randomly generated gamer_id, unless they have physical access to their computer. This method is very user friendly because the authentication and gamer_id generation can be done automatically in PHP, so the user can access the Flash game with no delay or input required.
Better Solution: This solution is similar to the above solution. Instead of only creating the random gamer_id for a user once, have the PHP script create a new gamer_id every time a user navigates to the game, and store the new gamer_id in the database (overwriting the old gamer_id). This is more secure because if someone manages to obtain someone else's gamer_id, it will be unusable the next time that user logs into the game.
Best Solution: The above solution still has a loop hole. Users can log into someone else's game as long as they have their gamer_id and the legitimate user has not logged back into their game since. We need to make it so that the gamer_id can only be used once to open the game, and then it will be invalid after that. To do this, simply create a gamer_id_old column in your database. When the Flash game opens up, have it use the gamer_id to pull up the user's database entry and then check the gamer_id against the gamer_id_old. If they are different, load the current gamer_id into the gamer_id_old and continue loading the game. If the gamer_id matches the gamer_id_old, then send an error message to the user and do not access the database.
This solution is fully secure and user friendly, though it requires a bit more coding. An added bonus to this solution is that you can easily make it so that there can never be two instances of the game running with the same user information at the same time. It will also require that the user access your game only from your Facebook PHP page, and they will not be able to access the game remotely or offline.
Example:
User navigates to the main PHP page, usually from a Facebook bookmark. The PHP page runs the Facebook authentication to validate the user. Once the user is validated, create a random gamer_id using uniqid() or a combination of functions. Check the database to make sure that the gamer_id isn't already being used. If it isn't, load the gamer_id into the database for that user, overwriting their current gamer_id. Pass only the gamer_id into the embedded Flash game. Once the Flash game starts, have it check the database for the gamer_id and compare it to the gamer_id_old for that user. If they do not match then set gamer_id_old to gamer_id and start the game. If they do match, then the user has already attempted to open the game using that gamer_id. Send them back to your PHP page or give them an error message.
| Tags | facebook flash |
|---|
Comment on this post
Legacy Comments (2)
Daniel | October 26, 2010 | 8:32 AM PST
Or you could just use PHP sessions with a custom login, then when you populate your flash app, your app can fetch a json object from your api based on the session / or use a Facebook cookie client side to the same effect
dsadasdasdas | July 9, 2010 | 4:35 AM PST
omg why is it so hard to make a game!@#!@#!@